A recent report by Prolexic Technologies documents that cyber attacks, including denial of service attacks, increased by as much as 20 percent in the second quarter of 2013 compared to the first quarter. Partly in response to these increased attacks, the Securities Industry and Financial Markets Association conducted a voluntary test of the security systems of various financial institutions. During the week of July 13th, 50 banks of all sizes went through the exercise to see how they would respond to coordinated cyber attacks against them. Add to this the exponential rise of mobile devices, and it is no wonder that bank boards are discussing cyber risk at an ever increasing rate.
Board Level Discussions
More and more often, my board presentations include a cyber-risk component. I am no longer surprised to hear directors question the protection of the bank’s non-tangible assets (such as client personal information) as much as they do the money in their vaults. The most common question I get from the board room is, “What can we do to minimize these new risks?” The first discussion concerns implementing a detailed, written response plan for the event of a breach of network security. This plan should incorporate everyone who touches cyber security, including the chief security officer, CFO, general counsel, IT director, and insurance broker/carrier. We then discuss people, process, technology, and insurance. Remember that hiring a top-notch chief security officer, implementing rigorous processes around breach avoidance and response, and purchasing the newest network security solutions will definitely put the bank at decreased risk of attack. But there is no silver bullet that can guarantee that cyber criminals will not find a way to access your network. And as with all risk management, the way to contain and mitigate that remaining slice of liability exposure is through insurance. In the case of cyber exposure, the insurance product is typically referred to as network security and privacy liability, or simply cyber liability.
What is Covered by a Cyber Liability Policy
Believe it or not, this is actually not an easy question to answer. Unlike many other insurance products which cover one exposure, the typical cyber liability policy is almost like a restaurant menu where an insured has a lot of options as to what modules they want included in their policy. At a summary level, a cyber policy can include some or all of the following coverage:
Third Party Coverage (e.g. a lawsuit by a customer or other third party). This coverage pays defense costs and the ultimate settlement or damages relating to:
- Network Security: Covers customers bringing suit arising from a breach in network security.
- Privacy Liability: Covers claims from clients that typically arise from a release of their personal information through a non-cyber breach (e.g. dumpster diving, a lost laptop, an exposed customer list).
- Media Liability: Applies when a party brings suit alleging online copyright infringement.
- Regulatory: Provides coverage for governmental or regulatory claims arising from a data breach.
First Party Coverage. This policy reimburses the insured to make the company whole:
- Crisis Management: Covers public relations services needed in response to a breach.
- Breach Remediation: Covers costs for credit monitoring, forensics and restoration of data.
- Notification Costs: Covers the cost of notifying all affected customers of a breach (as required by most state laws). This remains the most frequent type of covered cyber claim. One carrier estimates an average notification cost of $30 per customer.
- Cyber Extortion: May cover the investigation costs and the extortion payment arising from a breach or a credible threat of a breach.
- E-business Interruption: Covers the loss of income and extra expense resulting from a computer attack (after a waiting period).
Each of these components has a cost associated with it. Based on the coverage selected and the size of the bank (often measured by revenue and/or number of records managed), we see premiums range from $5,000 to $20,000 per $1 million of coverage. So, we recommend a level of due diligence between the broker and the bank to best determine the appropriate cyber coverage for that institution.